Passive FTP

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall’s standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server’s port 21 from anywhere (Client initiates connection)

  • FTP server’s port 21 to ports > 1024 (Server responds to client’s control port)

  • FTP server’s ports > 1024 from anywhere (Client initiates data connection to random port specified by server)

  • FTP server’s ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client’s data port)

Because passive FTP uses high ports on the server and most firewalls now block high ports, the server may not work properly.

Example of Passive FTP connection:

[root@m8.mac-net.com]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100).
220 ready (vsFTPd 1.1.0)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)

425 error

If you see the above 425 error in your browser or FTP client, it means that the data channel between you and the server you are trying to connect to is blocked or closed. Either the server does not support passive FTP or the server is blocked by its firewall.

Note: To find the actual port, multiply the fifth octet by 256 and then add the sixth octet to the total. Thus for a reply ending in 14,178 the port number is ((14*256) + 178), or 3762. A quick check with netstat should confirm this information.
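The port arithmetic from the note above, applied to whole 227 replies, as an added example that is not part of the original page: it parses the reply, computes the data port, and reports why the data connection may be blocked. The function names, the 50000-50100 firewall range and the second sample reply are constructed for illustration.

```python
import re

# Six comma-separated numbers in a 227 reply: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

def parse_pasv(reply):
    """Return (host, port) from a 227 reply line, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field outside 0-255: %r" % nums)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # fifth number * 256 + sixth number
    return host, port

def diagnose(reply, control_host, allowed_ports):
    """Return (host, port, findings) for the data channel a reply describes.

    allowed_ports is the range of server ports the firewall lets in
    (hypothetical policy supplied by the caller).
    """
    host, port = parse_pasv(reply)
    findings = []
    if port <= 1024:
        findings.append("port %d is not an unprivileged port" % port)
    if port not in allowed_ports:
        findings.append("port %d is outside the firewall range %d-%d"
                        % (port, allowed_ports[0], allowed_ports[-1]))
    if host != control_host:
        findings.append("reply advertises %s, control connection uses %s"
                        % (host, control_host))
    return host, port, findings

if __name__ == "__main__":
    samples = [
        "227 Entering Passive Mode (192,168,1,100,181,210)",  # from the session above
        "227 Entering Passive Mode (192,168,1,100,14,178)",   # constructed
    ]
    fw_range = range(50000, 50101)  # constructed firewall policy
    for line in samples:
        host, port, findings = diagnose(line, "192.168.1.100", fw_range)
        print(host, port, findings or "data port is reachable per policy")
```

A finding for the session's port 46546 only means it falls outside the constructed range; substitute the range your own firewall actually opens.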

In short, active FTP is good for the FTP server admin, but not for the client-side admin. Passive FTP, on the other hand, is good for the client, but not for the FTP server admin.

Updated On: 13.06.12
